CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:S/C:N/I:N/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 52.7% |
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference “homeserver” implementation of Matrix. A malicious or poorly implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 is vulnerable to this injection attack. The issue is fixed in version 1.23.1. As a workaround, homeserver administrators could limit access to the federation API to trusted servers (for example via federation_domain_whitelist).
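The defensive check that closes this class of bug is to refuse any federation event whose body names a different room (or event) than the request path does. The example below is written for this page and is not Synapse's own code; the path regex covering the four endpoints named above and the handling of events without a body `event_id` (newer room versions derive it from the event hash) are assumptions.

```python
import re

# Federation endpoints named in the advisory whose path carries a room id.
# The path shapes follow the Matrix federation API; the regex itself is an
# assumption made for this example and accepts the v1 and v2 prefixes.
_ROOM_PATH = re.compile(
    r"^/_matrix/federation/v[12]/"
    r"(?P<endpoint>send_join|send_leave|invite|exchange_third_party_invite)/"
    r"(?P<room_id>![^/]+)(?:/(?P<event_id>[^/]+))?$"
)


def validate_room_id(path: str, event: dict) -> str:
    """Return the room id this request may act on, or raise ValueError.

    The hardening shown here: the room id (and the event id, when the path
    carries one) inside the event body must match the values in the request
    path. A mismatch is rejected before the event reaches room state, so a
    remote server cannot smuggle an event for room B through a path for
    room A.
    """
    m = _ROOM_PATH.match(path)
    if m is None:
        raise ValueError(f"unsupported federation path: {path}")
    path_room = m.group("room_id")
    body_room = event.get("room_id")
    if body_room != path_room:
        raise ValueError(f"room_id mismatch: path {path_room!r} vs event {body_room!r}")
    path_event = m.group("event_id")
    body_event = event.get("event_id")  # absent in room versions that hash the id
    if path_event is not None and body_event not in (None, path_event):
        raise ValueError(f"event_id mismatch: path {path_event!r} vs event {body_event!r}")
    return path_room


if __name__ == "__main__":
    # Constructed sample requests: one consistent, one with a smuggled room id.
    ok = ("/_matrix/federation/v1/send_join/!room:a.example/$ev1",
          {"room_id": "!room:a.example", "event_id": "$ev1", "type": "m.room.member"})
    bad = ("/_matrix/federation/v1/invite/!room:a.example/$ev2",
           {"room_id": "!victim:b.example", "type": "m.room.member"})
    print("accepted room:", validate_room_id(*ok))
    try:
        validate_room_id(*bad)
    except ValueError as exc:
        print("rejected:", exc)
```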
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | matrix-synapse | < any | UNKNOWN |
ubuntu | 20.04 | noarch | matrix-synapse | < any | UNKNOWN |
ubuntu | 22.04 | noarch | matrix-synapse | < any | UNKNOWN |
github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09
github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b
github.com/matrix-org/synapse/pull/8776
github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm
launchpad.net/bugs/cve/CVE-2020-26257
nvd.nist.gov/vuln/detail/CVE-2020-26257
security-tracker.debian.org/tracker/CVE-2020-26257
www.cve.org/CVERecord?id=CVE-2020-26257